US7877493B2ExpiredUtilityA1
Method of validating requests for sender reputation information
Est. expiryMay 5, 2025(expired)· nominal 20-yr term from priority
Inventors:Daniel J. Quinlan
H04L 51/234G06Q 10/107H04L 61/4511H04L 51/212H04L 63/123H04L 63/145H04L 63/126
92
PatentIndex Score
20
Cited by
99
References
28
Claims
Abstract
A method of validating queries for reputation scores of message senders comprises receiving, from a first host computer, a DNS format query to obtain a reputation score associated with a second host computer, wherein the query includes an authentication code; validating the authentication code; and only when validating the authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer.
Claims
exact text as granted — not AI-modified1. An apparatus, comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform:
storing in the apparatus a secret string; wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,
wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by:
computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, and
determining that the validation is successful if the first authentication code and the second authentication code match;
only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
2. The apparatus of claim 1 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
3. The apparatus of claim 1 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
4. The apparatus of claim 1 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
5. The apparatus of claim 4 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
performing the particular responsive action.
6. The apparatus of claim 1 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
7. The apparatus of claim 1 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
determining whether the time has expired;
adding the first host computer to a blacklist when the time has expired.
8. An apparatus, comprising:
one or more processors;
a non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
storing in the apparatus a secret string; wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,
wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string,
wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
determining whether the first host computer is allowed to use services from the apparatus;
validating the first authentication code in response to the determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, by:
computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, and
determining that the validation is successful if the first authentication code and the second authentication code match; and
performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful;
wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
9. The apparatus of claim 8 , wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
10. The apparatus of claim 8 , wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
11. The apparatus of claim 8 , wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform:
establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
12. The apparatus of claim 11 , wherein the non-transitory computer-readable storage medium further comprise instructions which, when executed, cause the one or more processors to perform:
retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
performing the particular responsive action.
13. The apparatus of claim 8 , wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform:
creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and for adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
14. The apparatus of claim 8 , wherein the non-transitory computer-readable storage medium further comprises instructions, which when executed, cause the one or more processors to perform:
retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
determining whether the time has expired;
adding the first host computer to a blacklist when the time has expired.
15. A machine-implemented method comprising:
storing in an apparatus a secret string; wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,
wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by:
computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, and
determining that the validation is successful if the first authentication code and the second authentication code match;
only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer;
wherein the method is performed by one or more processors.
16. The method of claim 15 , further comprising sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
17. The method of claim 15 , further comprising determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
18. The method of claim 15 , further comprising:
establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
19. The method of claim 18 , further comprising:
retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
performing the particular responsive action.
20. The method of claim 15 , further comprising:
creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
21. The method of claim 15 , further comprising:
retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
determining whether the time has expired;
adding the first host computer to a blacklist when the time has expired.
22. A non-transitory computer-readable volatile or non-volatile storage medium storing one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to carry out the steps of:
storing in an apparatus a secret string; wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,
wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by:
computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, and
determining that the validation is successful if the first authentication code and the second authentication code match;
only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
23. The computer-readable medium of claim 22 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
24. The computer-readable medium of claim 22 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
25. The computer-readable medium of claim 22 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
26. The computer-readable medium of claim 25 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
performing the particular responsive action.
27. The computer-readable medium of claim 22 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
28. The computer-readable medium of claim 22 , further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
determining whether the time has expired.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.